On Thursday 16 August 2007 15:09, R. W. Rodolico wrote:
> Unfortunately, I have to point to some of the
> user-oriented firewalls you get for windoze (which, to my knowledge, Linux
> does not have). When they are installed, they shut down basically
> everything incoming, and all but a few standard outgoing ports (http,
> smtp, pop and imap). When an application tries to go out of another port,
> a pop-up informs the user and they can choose to accept or reject,
> with a "forever" modifier on both, and the firewall changes its rules
> appropriately.

The problem with these lies on 2 levels. The first is that all network traffic
would have to somehow be routed through this application, which in Windows is
no big deal as all that is already in place. But we haven't installed that
infrastructure, so it would be tougher to get that running in the first
place. This is not a primary concern regarding the firewall, but it is an
issue if we do eventually decide to integrate a firewall like that.

The second problem is what I pointed out earlier about
Microsoft's "firewall" -- users are pacified by it. If it's there, they get
the message, they have "ok", and "cancel", what does the average user do? The
average user assumes the firewall will protect them no matter what they do,
so they click the "ok" button and get on with what they are doing.

The greatest security hole in any system is the user. You can plug every other
hole there is, and still have break-ins because users haven't been trained
properly. There is no way to secure a system used by uninformed users. A
firewall is only one more thing the user can foul up.

Linux (and Debian especially) is inherently more secure than Windows in one
regard, firewall or not: we can all contribute to it. The only people
contributing anything to Windows are either Microsoft, contributing bugs; or
proprietary software companies, contributing proprietary software. This made
a sink-hole where the user really doesn't know what's going on in the
background, can't find out, and can't fix it even if they could find out.

What more could the programmer of a trojan horse (IMO a bigger threat than
anything a firewall will protect us from) ask for, than a user who completely
trusts binary-only distributions?

We're sitting here discussing specific ways Debian operates and how we can fix
it. Who can do that in Windows? That in itself makes Debian more secure.
--
Sincerely,
Jack
jakykong@theanythingbox.com
My GPG Public Key can be found at:
https://www.theanythingbox.com/pgp.htm (top link is current)
I appreciate signatures, but if you only know me online,
please use the --lsign-key, not the --sign-key.
I appreciate trust -- but too much makes it less valuable.